Process isolation using protection domains
First Claim
1. A computer-implemented method of isolating a plurality of operating system processes on a particular processor, the method comprising:
- using software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes;
- grouping the plurality of operating system processes into a plurality of protection domains, each of the at least two operating system processes being grouped into a different protection domain; and
- using hardware protection to prevent one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the one of the at least two operating system processes, the hardware protection operating as backup protection to the software protection.
Abstract
A first plurality of operating system processes is assigned to a first protection domain, and a second plurality of operating system processes is assigned to a second protection domain. One or more hardware protection mechanisms are used to prevent the first plurality of operating system processes from accessing the memory space of the second plurality of operating system processes, and also to prevent the second plurality of operating system processes from accessing the memory space of the first plurality of operating system processes.
20 Claims
1. Independent claim; its text is given under First Claim above. Dependent claims: 2 through 9.
10. One or more computer readable media having stored thereon a plurality of instructions that, when executed by a particular processor, cause the processor to:
- use software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes;
- group the plurality of operating system processes into a plurality of protection domains, one of the at least two operating system processes being grouped into a first protection domain and the other of the at least two operating system processes being grouped into a second protection domain; and
- use hardware protection to prevent the one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the first protection domain, the hardware protection operating as backup protection to the software protection, wherein the hardware protection includes a page table associated with the first protection domain that identifies memory pages that are accessible by the operating system processes of the first protection domain.
Dependent claims: 11 through 16.
17. A computing device comprising:
- a processor; and
- a memory, coupled to the processor, the memory storing a plurality of instructions that, when executed by the processor, cause the processor to isolate a plurality of operating system processes on the processor from each other by:
  - using software protection for at least two of the operating system processes to prevent each of the at least two operating system processes from accessing memory assigned to the other of the at least two operating system processes and to other processes of the plurality of operating system processes, the software protection further including preventing null pointers, references outside an array's bounds, or references to deallocated memory;
  - grouping the plurality of operating system processes into a plurality of protection domains, each of the at least two operating system processes being grouped into a different protection domain; and
  - using hardware protection to prevent one of the at least two operating system processes from accessing memory assigned to another operating system process belonging to a different protection domain from the one of the at least two operating system processes, the hardware protection operating as backup protection to the software protection, wherein the hardware protection includes a page table associated with the protection domain having the one of the at least two processes, that protection domain identifying memory pages that are accessible by the operating system processes of that protection domain.
Dependent claims: 18 through 20.
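A toy model of the two-layer isolation scheme the claims describe, added here as an illustration (it is not code from the patent): processes are grouped into protection domains, each domain owns a page table that acts as the hardware backstop, and the software layer rejects null, out-of-bounds and foreign pointers. All class names, addresses and the domain layout are constructed; the `software_intact` flag models a verifier bug so the "backup" role of the hardware layer can be seen directly.

```python
from dataclasses import dataclass, field

PAGE_SIZE = 4096

@dataclass
class ProtectionDomain:
    """Protection domain; its hardware page table is modelled as the set of mapped page numbers."""
    name: str
    pages: set = field(default_factory=set)

@dataclass
class Process:
    pid: int
    domain: ProtectionDomain
    heap_base: int   # constructed addresses: a process may only use its own heap
    heap_len: int

def create_process(pid, domain, heap_base, heap_len):
    """Assign a process to a domain and map its heap pages into that domain's page table."""
    proc = Process(pid, domain, heap_base, heap_len)
    first, last = heap_base // PAGE_SIZE, (heap_base + heap_len - 1) // PAGE_SIZE
    domain.pages.update(range(first, last + 1))
    return proc

def software_check(proc, addr):
    # Software protection: a verified process may only dereference pointers into its
    # own heap, which rejects null, out-of-bounds and foreign-process pointers.
    return addr != 0 and proc.heap_base <= addr < proc.heap_base + proc.heap_len

def hardware_check(proc, addr):
    # Hardware protection: the touched page must be mapped in the domain's page table.
    return addr // PAGE_SIZE in proc.domain.pages

def access(proc, addr, software_intact=True):
    """Return which layer decided the access. software_intact=False models a bug in
    the software verifier, leaving only the hardware backup in place."""
    if software_intact and not software_check(proc, addr):
        return "denied:software"
    if not hardware_check(proc, addr):
        return "denied:hardware"
    return "allowed"

def build_scenario():
    """Constructed layout: processes 1 and 2 share domain-1, process 3 lives in domain-2."""
    d1, d2 = ProtectionDomain("domain-1"), ProtectionDomain("domain-2")
    a = create_process(1, d1, 0x10000, 2 * PAGE_SIZE)
    b = create_process(2, d1, 0x20000, 2 * PAGE_SIZE)
    c = create_process(3, d2, 0x30000, 2 * PAGE_SIZE)
    return a, b, c
```

With the software layer intact every foreign access is stopped before it reaches hardware; with it bypassed, the per-domain page table still blocks process 1 from process 3's memory but cannot separate processes 1 and 2, which share a domain.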